RESOLVED INVALID 42448
crash in JSC::UString::toUInt32(bool * ok, bool tolerateEmptyString=true)
https://bugs.webkit.org/show_bug.cgi?id=42448
stawel
Reported 2010-07-16 05:05:23 PDT
I'm getting a crash in the toUInt32(...) method. In the trunk version (Revision 63120) the bug should still be present.

Callstack:

> QtWebKit4.dll!JSC::UString::toUInt32(bool * ok=0x0192a484, bool tolerateEmptyString=true) Line 1488 + 0x20 bytes C++
  QtWebKit4.dll!WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::ExecState * exec=0x13de0048, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...}) Line 174 C++
  QtWebKit4.dll!JSC::JSValue::get(JSC::ExecState * exec=0x13de0048, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...}) Line 611 + 0xe3 bytes C++
  QtWebKit4.dll!JSC::Interpreter::privateExecute(JSC::Interpreter::ExecutionFlag flag=Normal, JSC::RegisterFile * registerFile=0x03adcbf4, JSC::ExecState * callFrame=0x13de0048, JSC::JSValue * exception=0x0192af00) Line 2081 C++
  msvcr80.dll!free(void * pBlock=0x0192af08) Line 110 C
  QtWebKit4.dll!JSC::evaluate(JSC::ExecState * exec=0x03d5f298, JSC::ScopeChain & scopeChain={...}, const JSC::SourceCode & source={...}, JSC::JSValue thisValue={...}) Line 62 C++
  QtWebKit4.dll!WebCore::evaluateInWorld(JSC::ExecState * exec=0x03ba1df8, JSC::ScopeChain & scopeChain={...}, const JSC::SourceCode & sourceCode={...}, JSC::JSValue thisValue={...}, WebCore::DOMWrapperWorld * isolatedWorld=0x03ba1e30) Line 834 + 0x27
  . . .

Output:

  Unhandled exception at 0x019f540f (QtWebKit4.dll) in 2.dmp: 0xC0000090: Floating-point invalid operation.

The problem:

  uint32_t UString::toUInt32(bool* ok, bool tolerateEmptyString) const
  {
      double d = toDouble(false, tolerateEmptyString);
      bool b = true;

      if (d != static_cast<uint32_t>(d)) {   // <------------- crash
          b = false;
          d = 0;
      }
      if (ok)
          *ok = b;

      return static_cast<uint32_t>(d);
  }

The method toDouble() probably returned a NaN value and the static_cast<uint32_t>(d) threw an error.

Best Regards
Oliver Hunt
Comment 1 2010-07-16 12:51:33 PDT
Qt should not be using a signalling NaN
Diego Gonzalez
Comment 2 2010-07-21 07:30:43 PDT
Cannot reproduce it on Linux. Is it still reproducible on Windows? Could you provide a better test case?
stawel
Comment 3 2010-07-21 07:51:32 PDT
The code was compiled with Visual Studio 2005. I can't reproduce this error (don't know how). The crash callstack is from a minidump automatically sent by users (we got 1730 of these crashes within a month). My explanation was only a guess.
stawel
Comment 4 2010-07-23 07:47:21 PDT
I did some research; here is an example (for Linux and Windows). I guess that some other library turns on the FP exceptions.

  ///example.cpp
  #include <iostream>
  #include <limits>
  #include <cstdint>        // uint32_t
  #include <fpu_control.h>  // Linux/glibc only; not needed for the Windows variant

  using namespace std;

  int main(int argc, char* argv[])
  {
      // on Windows
      // _control87 (0, _EM_INVALID);

      // on Linux, gcc 4.2.4: unmask the "invalid operation" FP exception
      fpu_control_t fpu_cw;
      fpu_cw = _FPU_DEFAULT & (~_FPU_MASK_IM);
      _FPU_SETCW(fpu_cw);

      double d;

      // each of them works (any one of these values triggers it)
      d = numeric_limits<double>::infinity();
      d = numeric_limits<double>::quiet_NaN();
      d = numeric_limits<double>::signaling_NaN();

      if (d != static_cast<uint32_t>(d)) {  // exception raised here
          cout << "error\n";
      } else {
          cout << "ok\n";
      }

      return 0;
  }
stawel
Comment 5 2010-08-04 06:10:05 PDT
I see the same problem in the file javascriptcore\javascriptcore\runtime\jsvalue.h, in the methods inline JSValue::JSValue(JSGlobalData* globalData, double d) and inline JSValue::JSValue(ExecState* exec, double d), where there is: const int32_t asInt32 = static_cast<int32_t>(d);
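The following is an added illustration (not code from this report or from WebKit) of the failure mode described in comments 4 and 5: a bare static_cast of NaN/infinity to an integer raises the FE_INVALID status flag, which becomes a fatal trap once any library unmasks it. It contrasts that cast with a guarded conversion that classifies the double first; the names safeToUInt32, UInt32Result and the *RaisesInvalid probes are hypothetical, chosen for this example.

```cpp
#include <cfenv>
#include <cmath>
#include <cstdint>
#include <iostream>
#include <limits>

// Result of a guarded double -> uint32_t conversion (hypothetical type, not
// JSC's). ok mirrors the *ok out-parameter of UString::toUInt32.
struct UInt32Result { bool ok; uint32_t value; };

// Guarded counterpart of the cast in UString::toUInt32: classify d before any
// ordered comparison or cast touches it. isfinite() is a quiet test, and the
// || short-circuit means a NaN never reaches "d < 0.0" (an ordered compare
// that itself raises FE_INVALID) or the static_cast (undefined behaviour for
// NaN and for values outside the uint32_t range).
UInt32Result safeToUInt32(double d) {
    if (!std::isfinite(d) || d < 0.0 || d > static_cast<double>(UINT32_MAX))
        return {false, 0};
    uint32_t candidate = static_cast<uint32_t>(d);
    if (static_cast<double>(candidate) != d)   // fractional part, e.g. 3.5
        return {false, 0};
    return {true, candidate};
}

// Sticky-flag probe: clear the FP status flags, perform the bare conversion
// once, and report whether FE_INVALID was raised. With the mask bit cleared
// in the control word (as in comment 4) this flag is the 0xC0000090 trap.
bool naiveCastRaisesInvalid(double d) {
    volatile double v = d;                      // keep the cast at run time
    std::feclearexcept(FE_ALL_EXCEPT);
    volatile uint32_t sink = static_cast<uint32_t>(v);
    (void)sink;
    return std::fetestexcept(FE_INVALID) != 0;
}

// Same probe for the guarded path: no NaN ever reaches a cast or an ordered
// comparison, so the flag stays clear regardless of the FP control word.
bool guardedCastRaisesInvalid(double d) {
    std::feclearexcept(FE_ALL_EXCEPT);
    UInt32Result r = safeToUInt32(d);
    (void)r;
    return std::fetestexcept(FE_INVALID) != 0;
}

int main() {
    const double nan = std::numeric_limits<double>::quiet_NaN();
    std::cout << "bare cast of NaN raises FE_INVALID: " << naiveCastRaisesInvalid(nan) << '\n';
    std::cout << "guarded cast of NaN raises FE_INVALID: " << guardedCastRaisesInvalid(nan) << '\n';
    UInt32Result r = safeToUInt32(nan);
    std::cout << "safeToUInt32(NaN): ok=" << r.ok << " value=" << r.value << '\n';
    return 0;
}
```

With the invalid-operation exception left masked (the default), the bare cast only sets the sticky flag; unmasking it, as the example in comment 4 does, turns that same flag into the crash seen in the minidumps.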
Jocelyn Turcotte
Comment 6 2014-02-03 03:50:47 PST
=== Bulk closing of Qt bugs === If you believe that this bug report is still relevant for a non-Qt port of webkit.org, please re-open it. If you believe that this is still an important QtWebKit bug, please file a new report at https://bugreports.qt-project.org and add a link to this issue. See http://qt-project.org/wiki/ReportingBugsInQt for additional guidelines.